Using Python/libnitrokey with Nitrokey HSM under macOS

Hi all,

I’m currently programming for the Nitrokey HSM under macOS High Sierra 10.13.3.

I’ve initialised the HSM, generated the DKEK and generated key pairs without any trouble. I’ve also tested with sc-hsm-tool to make sure there are no errors.

I compiled libnitrokey and used the Python bindings example, however I can’t get past the login process. As far as I can tell I’ve set up the device correctly, but wasn’t sure if I needed to call something else to get this to work or if I needed to call it at all.

I set debug to true and set the debug level to highest, however the output wasn’t useful:

[Tue Feb 27 15:45:27 2018][DEBUG_L2]	setDefaultDelay
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	setDefaultDelay
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	connect
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_connect *IN* 
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	Connection success: 0
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	connect
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_connect *IN* 
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	Connection success: 0
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	total_comm_runs 0,
    communication_successful 0,
    (
        command_successful_recv 0,
        command_result_not_equal_0_recv 0,
    ),
    sends_executed 0,
    recv_executed 0,
    successful_storage_commands 0,
    total_retries 0,
    (
        busy 0,
        busy_progressbar 0,
        CRC_other_than_awaited 0,
        wrong_CRC 0,
    ),
    low_level_reconnect 0,
    sending_error 0,
    receiving_error 0,
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	disconnect
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_disconnectSTORAGE
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_disconnect *IN* 
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	Disconnection success: 1
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	total_comm_runs 0,
    communication_successful 0,
    (
        command_successful_recv 0,
        command_result_not_equal_0_recv 0,
    ),
    sends_executed 0,
    recv_executed 0,
    successful_storage_commands 0,
    total_retries 0,
    (
        busy 0,
        busy_progressbar 0,
        CRC_other_than_awaited 0,
        wrong_CRC 0,
    ),
    low_level_reconnect 0,
    sending_error 0,
    receiving_error 0,
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	disconnect
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_disconnectPRO
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	_disconnect *IN* 
[Tue Feb 27 15:45:27 2018][DEBUG_L2]	Disconnection success: 1
Could not connect to Nitrokey

Any pointers would be appreciated.

Hi,

Maybe I misunderstood something, but libnitrokey is the basis for working with Nitrokey Pro and Nitrokey Storage. The HSM is not used with this lib… You should have a look at the OpenSC project instead.

@szszszsz can you please confirm?

Kind regards
Alex

Hi @paulmalyschko!

Sorry, I somehow did not get an email notice about your post and I missed it.
As @nitroalex mentioned, libnitrokey at the moment supports only the additional (that is, besides smartcard) features of the Pro and Storage devices - Password Safe, OTP and encrypted storage.
For smartcard-related functionality, OpenSC should be best with the Nitrokey HSM. For Pro, Start and Storage, GPGME would probably be better.
I will update libnitrokey's readme to make that clear.

Could I ask what your initial plans were? I could perhaps give you some more clues.

Edit: here I have made a brief Pro vs HSM comparison

It seems the e-mail server wasn’t delivering. I got a heap of e-mails at the same time which I was expecting a week ago when trying to confirm my e-mail address. Oh well.

Apologies, I’ve never worked with smartcard technology, so it’s all new to me. I eventually made the connection that libnitrokey was only for the Storage and Pro. The clues were there, but it wasn’t explicitly mentioned, so I wasn’t sure.

Initial plans are to demo initialising and encrypting/decrypting files programmatically in Python, but looks like I’ll have to use a package like python-pkcs11 for that. At the moment I’m just calling the same command line programs in the documentation.

I’m about to write the encryption/decryption part right now, shouldn’t be too hard.

Looks like it. Sorry about that.

No need! This is what the forum is for. I will make sure this is explicit to avoid confusion.

We actually have a similar project, if you would like to peek - Nitrokey Encryption Tool.

I had a quick look, and it helped me organise my thoughts. I ended up making a Nitrokey Python package (though it’s not close to finished), which I’d like to open source at some point if I can convince my employer to do so.
